Concerns and Open Questions

During the civic digital trust workshop, we formed a breakout group to discuss limitations and concerns with the digital trust model. This section groups and lists the topics that were discussed and questions that were raised by the group.

Structure and Formation

Legislation in Ontario, and potentially in other jurisdictions, is limited in allowing the creation of a legal trust with open-ended beneficiaries, so new legislation may be required to set up a new kind of legal entity.

Reaching agreement on use with diverse stakeholders is challenging. The draft aspirations and design principles will require trust participants to go significantly beyond mandatory legal requirements. This includes voluntarily entering into a joint legal agreement(s).

The digital trust model is too abstract and immature to know how it really works yet. Therefore, most of the feasibility and viability issues are determined on a case-by-case basis rather than being repeatable.

Why will people and businesses submit data to the trust? What's in it for them? Are the defaults explicit opt-in (automatically in), opt-in (choice to be in), or opt-out (in automatically with options to opt out)? Is there an ability to opt out of collections (no-go zones)?

Who would gain value from the trust? Who would be compensated? Businesses that generate data vs. data-driven organizations: what are the models for equitable sharing?

Scope

What data is in and what is out? What is allowed use and what is not? What is the scope of authority for the trust? Who is accountable? What are the lines of communication with the public, the private sector and government? These are hard questions to get consensus on. To meaningfully address some uses, the algorithms will need to be in scope.

Some of the concerns raised in a smart city that a trust might address relate to pre-existing private-market activity, such as mobile and consumer services data that might be combined with public realm data. For a trust to be effective, would it actually be given enough scope with respect to legal agreements and allowable uses to be useful? Can it address the broad spectrum of existing activity, which may be hard to define, agree on and get participation for?

Geographic scope is hard to enforce and may not be a meaningful basis for determining scope of the trust, especially where the same data is collected under different consent agreements and for other uses outside of that geographic area. As the trust scales, geography is a less useful definition of scope than data content types and allowable uses.

If the beneficiary group is widely defined as any citizen or visitor to a zone in the city, who is allowed to bring action against the trust on their behalf and how?

Governance Challenges

Data in a trust is likely to have been collected under different consents or legal regimes. It is unlikely that the multiple legal regimes can be harmonized. When data is voluntarily brought into the trust, there is a need to clarify which legal regime has precedence for the trust.

There will be significant cost and overhead for the trust to fulfill its duties. There must be a sustainable model to cover these costs for the long term. The trust will require specialist resources.

Different allowed uses by the trust may require opt-in versus opt-out by individuals / data subjects.

The trust will have to manage in an environment where meaningful consent may not realistically be achievable. Constructing measures to uphold the interests of data subjects and beneficiaries will require strong due diligence and clarity with regulators. While this has been achieved in healthcare, for example, the established practices and understanding of risk versus collective benefit have yet to be fully understood, and practical steps will need to be developed.

Must trustors fully cede ownership of data? Might they retain full ownership while handing over control, determination of allowable use, and enforcement of allowable use to the trust?

When a trustor donates data and/or code to a civic digital trust, what risks and legal obligations are also transferred to the trust?

Inclusive governance and decision making. How to manage different obligations with respect to private and public data? There is a potential for compliance rather than impact to become the central objective. How is compliance enforced?

The trustee needs to know what the interests of the beneficiaries are – so civil representation will be critical – such as through citizen representatives.

The potential of a data trust is in creating an additional fiduciary requirement on the trustees to manage data and algorithms in the interest of the beneficiary. However, for that to be the case, the beneficiary needs to be actually able to hold the trustee to account or enforce their interest. This means the beneficiary needs to know of a wrong, have the technical capacity to prove it, and then have the financial capacity to enforce it.

Is a data trust less agile than more collaborative cross-sector data-for-good projects?

Technical Challenges

If the scope of the trust is only a legal framework with no technical controls, it may become harder for the trust to enforce. In practice, it may end up as more of a retrospective validation or audit process, rather than a fully proactive management body.

Technical controls make the tracking and enforcement of allowable data uses more realistic. However, such technology will add operating cost to the trust and create the need to integrate those technical controls with the technology used by the trustors and licensees, which imposes a cost of participation on them. Given the current state of the art in data use audit and tracking, some significant further development may also be required for sufficient functionality to be widely available.

Will the technical architecture of the trust be secure? What are the risks of re-identification?